quartz-markdown-editor

Incident Summary

Glassworm Unicode Attack on quartz-markdown-editor

The Glassworm threat actor published a malicious version of the quartz.quartz-markdown-editor VS Code extension. Its payload was concealed with invisible PUA Unicode characters, hiding credential-theft logic in plain source view while the extension worked as a quiet collector of authentication tokens and secrets.

Date: 2025-10-17 to 2026-03-13
Category: Open Source
Target Surface: Distribution
Insertion Phase: distribution
Impact: Credential theft
Cause: Malicious Injection

What Was Affected

Package quartz-markdown-editor

LanguageJavaScript

ComponentExtension

Artifact typeextension

Domain typepackage host

Domain marketplace.visualstudio.com

Compromised Versions

0.3.0

Incident Context

Motive: Credential Theft
Attribution: Third Party
Transitive: No
User Impact: 0
Observed Duration: 147 days

External References

aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode

Source Data

Source record: oss/quartz-markdown-editor/meta.yaml